LimeSurvey 2.72.3 - Persistent XSS to Code Execution

10 Apr 2018 by Robin Peraglie

LimeSurvey is an open source and commercial web application written in PHP that enables its users to quickly design and setup scalable surveys. Last year, we scanned the at that time latest version 2.72.3 with our static code analysis tool RIPS. In this technical post we will discuss and present two of the automatically detected vulnerabilities in 1MLOC: An unauthenticated persistent cross-site scripting vulnerability in the continue later feature and an authenticated arbitrary file write vulnerability. Both vulnerabilities can be chained by an attacker in order to execute code on the targeted web server with only one payload.

Read More ...

Roundcube 1.2.2: Command Execution via Email

6 Dec 2016 by Robin Peraglie

Roundcube

Roundcube is a widely distributed open-source webmail software used by many organizations and companies around the globe. The mirror on SourceForge, for example, counts more than 260,000 downloads in the last 12 months1 which is only a small fraction of the actual users. Once Roundcube is installed on a server, it provides a web interface for authenticated users to send and receive emails with their web browser.

In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected. We urge all administrators to update the Roundcube installation to the latest version 1.2.3 as soon as possible.

Read More ...